
Chapter 7

© 2015 Pearson Education Ltd.


 Define the elements of host hardening, security
baselines and images, and systems administration.
 Know important server operating systems.
 Describe vulnerabilities and patches.
 Explain how to manage users and groups.
 Explain how to manage permissions.
 Know Windows client PC security, including
centralized PC security management.
 Explain how to create strong passwords.
 Describe how to test for vulnerabilities.



 Inevitably, some attacks will get through
network safeguards and reach individual
hosts
 Host hardening is a series of actions taken to
make hosts more difficult to take over
 Chapter 7 focuses on host operating system
hardening
 Chapter 8 focuses on application protection



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 The Problem
◦ Some attacks inevitably reach host computers
◦ So servers and other hosts must be hardened—a
complex process that requires a diverse set of
protections implemented on each host



 What Is a Host?
◦ Anything with an IP address is a host (because it
can be attacked)
◦ Servers
◦ Clients (including mobile telephones)
◦ Routers (including home access routers) and
sometimes switches
◦ Firewalls



 Backup
 Backup
 Backup
 Restrict physical access to hosts (see
Chapter 5)
 Install the operating system with secure
configuration options
 Change all default passwords, etc.



 Minimize the applications that run on the
host
 Harden all remaining applications on the host
(see Chapter 8)
 Download and install patches for operating system vulnerabilities
 Manage users and groups securely
 Manage access permissions for users and
groups securely



 Encrypt data if appropriate
 Add a host firewall
 Read operating system log files regularly for
suspicious activity
 Run vulnerability tests frequently



 Security Baselines Guide the Hardening Effort
◦ Specifications for how hardening should be done
◦ Needed because it is easy to forget a step
◦ Different baselines for different operating systems
and versions
◦ Different baselines for servers with different
functions (e.g., webservers, mail servers, etc.)
◦ Used by systems administrators (server
administrators)
 Usually do not manage the network



 Security Baselines Guide the Hardening Effort
◦ Disk Images
 Can also create a well-tested secure
implementation for each operating system
version and server function
 Save as a disk image
 Load the new disk image on new servers



 Multiple operating systems running
independently on the same physical machine
 System resources are shared
 Increased fault tolerance
 Rapid and consistent deployment
 Reduced labor costs



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Windows Server
◦ The Microsoft Windows Server operating system
◦ Windows NT, Windows Server 2003, and Windows Server
2008

 Windows Server Security
◦ Intelligently minimize the number of running programs and utilities by asking questions during installation
◦ Simple (and usually automatic) to get updates
◦ Still many patches to apply, but this is true of other operating systems



Figure: Windows Server desktop. It looks like client versions of Windows (ease of learning and use). Choose Administrative Tools; the tools for most programs are called Microsoft Management Consoles (MMCs).



Figure: The Computer Management MMC. Tree pane with snap-ins (Services selected); pane with the objects under Services (Windows Firewall selected). MMCs have standard user interfaces.



 Many Versions of UNIX
◦ There are many commercial versions of UNIX for
large servers
 Compatible in the kernel (core part) of the
operating system
 Can generally run the same applications
 May run many different management utilities,
making cross-learning difficult



 Many Versions of UNIX
◦ LINUX is a version of UNIX created for PCs
 Many different LINUX distributions
 Distributions include the LINUX kernel plus
application and programs, usually from the
GNU project
 Each distribution and version needs a
different baseline to guide hardening



 Many Versions of UNIX
◦ LINUX is a version of UNIX created for PCs
◦ Free or inexpensive to buy
◦ May take more labor to administer
◦ Has moved beyond PC, to use on servers and some
desktops

 User Can Select the User Interface
◦ Multiple user interfaces are available (unlike
Windows)
◦ Graphical user interfaces (GUIs)
◦ Command line interfaces (CLIs)
 At prompts, users type commands
 Unix CLIs are called shells (Bourne, BASH, etc.)

>ls -1



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Vulnerabilities
◦ Security weaknesses that open a program to attack
◦ An exploit takes advantage of a vulnerability
◦ Vendors develop fixes
◦ Zero-day exploits: exploits that occur before fixes
are released
◦ Exploits often follow the vendor release of fixes
within days or even hours
◦ Companies must apply fixes quickly



 Fixes
◦ Work-arounds
 Manual actions to be taken
 Labor-intensive, so expensive and error-prone
◦ Patches:
 Small programs that fix vulnerabilities
 Usually easy to download and install
◦ Service packs (groups of fixes in Windows)
◦ Version upgrades



 Problems with Patching
◦ Must find operating system patches
 Windows Server does this automatically
 LINUX versions often use rpm
◦ Companies get overwhelmed by number of patches
 Use many programs; vendors release many
patches per product
 Especially a problem for a firm’s many
application programs



 Problems with Patching
◦ Cost of patch installation
 Each patch takes time and labor costs
 Usually lack the resources to apply all
◦ Prioritization
 Prioritize patches by criticality
 May not apply all patches if risk analysis does
not justify them



 Problems with Patching
◦ Risks of patch installation
 Reduced functionality
 Freezes machines, does other damage—
sometimes with no uninstall possible
 Should test on a test system before deployment
on servers



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Accounts
◦ Every user must have an account
 Groups
◦ Individual accounts can be consolidated into groups
◦ Can assign security measures to groups
◦ Inherited by each group’s individual members
◦ Reduces cost compared to assigning to individuals
◦ Reduces errors



Figure: Managing users in the Computer Management MMC. 1. Select Users or Groups. 2. Select a particular user, right-click, select Properties, and change the selected properties.



Figure: Properties of the Administrator account. General tab (Administrator account selected) with the password and account actions; Member Of tab for adding the user to groups.



 Super User Account
◦ Every operating system has a super user account
◦ The owner of this account can do anything
◦ Called “Administrator” in Windows
◦ Called “root” in UNIX
 Hacking Root
◦ Goal is to take over the super user account
◦ Will then “own the box”
◦ Generically called “hacking root”



 Appropriate Use of a Super User Account
◦ Log in as an ordinary user
◦ Switch to super user only when needed
 In Windows, the command is RunAs
 In UNIX, the command is su (switch user)
◦ Quickly revert to ordinary account when super user
privileges are no longer needed



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Permissions
◦ Specifies what the user or group can do to files,
directories, and subdirectories
 Assigning Permissions in Windows
◦ Right-click on file or directory
◦ Select Properties, then Security tab
◦ Select a user or group
◦ Select the 6 standard permissions (permit or deny)
◦ For more fine-grained control, 13 special
permissions



Figure: The Security tab of a file or directory. Callouts: select a user or group; inheritable permissions; standard permissions; advanced permissions.



 Inheritance
◦ If the “Include inheritable permissions from this object’s parent” box is checked in the Security tab, the directory receives the permissions of the parent directory.
◦ This box is checked by default, so inheritance from the parent is the default.



 Inheritance
◦ Total permissions include
 Inherited permissions (if any)
 Plus the Allow permissions checked in the Security tab
 Minus the Deny permissions checked in the Security tab
 The result is the permissions level for a directory or file



 Directory Organization
◦ Proper directory organization can make
inheritance a great tool for avoiding labor
◦ Example: Suppose the group of all logged-in users is given Read and Execute permissions in the public programs directory
◦ Then all programs in this directory and its
subdirectories will have Read and Execute
permissions for everyone who is logged in
◦ There is no need to assign permissions to
subdirectories and their files
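The following is an added illustration, not code from the textbook, of the slides' rule "inherited permissions plus Allow minus Deny" applied to the public programs example above. The directory tree, users and group names are constructed (Windows' real "Authenticated Users" group stands in for "all logged-in users"), and real NTFS evaluation is order-sensitive in ways this simplified model ignores.

```python
"""Effective permissions under the chapter's rule: inherited permissions
(when inheritance is on) plus this object's Allow entries minus its Deny
entries.  Added illustration; the tree, users and groups are constructed."""
from dataclasses import dataclass, field

# Four of the six standard Windows permissions, used here as labels.
READ, EXECUTE, WRITE, MODIFY = "Read", "Execute", "Write", "Modify"


@dataclass
class Directory:
    name: str
    parent: "Directory | None" = None
    inherit_from_parent: bool = True            # the Security-tab checkbox
    allow: dict = field(default_factory=dict)   # principal -> set of permissions
    deny: dict = field(default_factory=dict)


def effective_permissions(d, user, groups):
    """Return the set of permissions `user` has on directory `d`.

    Principals are the user plus every group the user belongs to.  Real
    NTFS evaluation is order-sensitive (an explicit Allow outranks an
    inherited Deny); this is the simplified model the slides describe.
    """
    principals = {user, *groups}
    perms = set()
    if d.inherit_from_parent and d.parent is not None:
        perms |= effective_permissions(d.parent, user, groups)  # inherited
    for p in principals:
        perms |= d.allow.get(p, set())                          # plus Allow
    for p in principals:
        perms -= d.deny.get(p, set())                           # minus Deny
    return perms


# Constructed tree for the "public programs" example.  "Authenticated Users"
# is the real Windows group standing in for "all logged-in users".
public = Directory("PublicPrograms",
                   allow={"Authenticated Users": {READ, EXECUTE}})
tools = Directory("Tools", parent=public)        # nothing assigned; inherits
admin_only = Directory("AdminOnly", parent=public,
                       inherit_from_parent=False,  # checkbox cleared
                       allow={"Administrators": {READ, EXECUTE, WRITE, MODIFY}})
scratch = Directory("Scratch", parent=public,
                    allow={"Developers": {WRITE}},
                    deny={"Interns": {WRITE}})   # Deny removes the Allow


def demo():
    """Effective permissions for a few constructed users."""
    return {
        "alice on Tools": effective_permissions(
            tools, "alice", {"Authenticated Users"}),
        "alice on AdminOnly": effective_permissions(
            admin_only, "alice", {"Authenticated Users"}),
        "bob on Scratch": effective_permissions(
            scratch, "bob", {"Authenticated Users", "Developers"}),
        "ivy on Scratch": effective_permissions(
            scratch, "ivy", {"Authenticated Users", "Developers", "Interns"}),
    }


if __name__ == "__main__":
    for who, perms in demo().items():
        print(f"{who}: {sorted(perms)}")
```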



Category | Windows | UNIX
Number of permissions | 6 standard, 13 specialized if needed | Only 3: Read (read only), Write (make changes), and Execute (for programs). Referred to as “rwx”
For a file or directory, different permissions can be assigned to | Any number of individual accounts and groups | The account owner, a single group, and all other accounts
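An added illustration (not from the textbook) of the UNIX side of the table: a file carries one rwx triple each for the owner, a single group, and everyone else, and the kernel consults exactly one of those classes for a given user. The mode strings, user and group names are constructed.

```python
"""UNIX's three-class model: the owner, one group, and everyone else, each
with at most read/write/execute.  Added illustration; the mode strings,
users and groups are constructed."""


def parse_symbolic(mode):
    """Turn a nine-character mode such as 'rwxr-x---' into its bit value
    (0o750 here).  Position i%3 must be r, w or x, or '-' when unset."""
    if len(mode) != 9:
        raise ValueError("expected nine characters, e.g. rwxr-x---")
    bits = 0
    for i, ch in enumerate(mode):
        if ch == "rwx"[i % 3]:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return bits


def unix_access(mode_bits, owner, group, user, user_groups, want):
    """Does `user` (a member of `user_groups`) get `want` ('r', 'w' or 'x')
    on a file owned by owner:group with these mode bits?

    Exactly one class is consulted: owner if the user owns the file,
    otherwise group if the user is in the file's group, otherwise other.
    A permission missing from that class is not rescued by a later class,
    so an owner can be locked out of a file that 'everyone else' can read.
    """
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if user == owner:
        cls = (mode_bits >> 6) & 0o7
    elif group in user_groups:
        cls = (mode_bits >> 3) & 0o7
    else:
        cls = mode_bits & 0o7
    return bool((cls >> shift) & 1)


def can_run(mode, owner, group, user, user_groups):
    """Convenience wrapper: can the user execute the file?"""
    return unix_access(parse_symbolic(mode), owner, group, user, user_groups, "x")
```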



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Password Strength Policies (from Chapter 5)
◦ Passwords must be long and complex
 At least 8 characters long
 Change of case, not at beginning
 Digit (0 through 9), not at end
 Other keyboard character, not at end
 Example: tri6#Vial



 Password is hashed and then stored
◦ Plaintext: 123456
◦ MD5 Hash: E10ADC3949BA59ABBE56E057F20F883E
 Windows password hashes are stored in the security accounts manager (SAM)
 Shadow files separate password hashes from other user information and restrict access



 Try all possible passwords
 Try all 1-character passwords (e.g., a, b, c)
 Try all 2-character passwords (e.g., aa, ab, bb)
 Etc.

 Broader character set increases the number of possible combinations
 Password length increases the number of possible combinations



Password length in characters | Low complexity: alphabetic, no case (N=26) | Alphabetic, case-sensitive (N=52) | Alphanumeric: letters and digits (N=62) | High complexity: all keyboard characters (N=80)
1 | 26 | 52 | 62 | 80
2 | 676 | 2,704 | 3,844 | 6,400
4 | 456,976 | 7,311,616 | 14,776,336 | 40,960,000
6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 | 2.62144E+11
8 | 2.08827E+11 | 5.34597E+13 | 2.1834E+14 | 1.67772E+15
10 | 1.41167E+14 | 1.44555E+17 | 8.39299E+17 | 1.07374E+19

Note: On average, an attacker will have to try half of all combinations.
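The following is an added illustration, not code from the textbook, that checks a password against the strength policy from slide 7-50 (at least 8 characters, change of case not at the beginning, digit and other keyboard character not at the end) and recomputes the N^length search space behind the table above. How the "not at beginning" and "not at end" rules are read is an assumption stated in the code.

```python
"""Checks for the chapter's password rules and the search-space arithmetic
behind the brute-force table.  Added illustration; how the "not at
beginning/end" rules are read is an assumption."""
import string

OTHER = set(string.punctuation)  # the "other keyboard characters"


def policy_violations(pw):
    """Return the rules `pw` breaks; an empty list means it passes.

    Assumed readings: "change of case, not at beginning" means both cases
    still appear once the first character is dropped (so Password1! fails);
    "not at end" means the digit or other character must occur before the
    last position.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    body = pw[1:]
    if not (any(c.isupper() for c in body) and any(c.islower() for c in body)):
        problems.append("no change of case after the first character")
    if not any(c.isdigit() for c in pw[:-1]):
        problems.append("no digit before the last character")
    if not any(c in OTHER for c in pw[:-1]):
        problems.append("no other keyboard character before the last character")
    return problems


def charset_size(pw):
    """N for the table column this password falls into."""
    if any(c in OTHER for c in pw):
        return 80   # all keyboard characters
    if any(c.isdigit() for c in pw):
        return 62   # letters and digits
    if any(c.isupper() for c in pw) and any(c.islower() for c in pw):
        return 52   # case-sensitive alphabetic
    return 26       # alphabetic, no case


def search_space(n, length):
    """Number of candidates an exhaustive search of length `length` covers."""
    return n ** length


def expected_tries(pw):
    """Table note: on average the attacker tries half of all combinations."""
    return search_space(charset_size(pw), len(pw)) // 2


def brute_force_table(lengths=(1, 2, 4, 6, 8, 10), sizes=(26, 52, 62, 80)):
    """Recompute the table as {length: [N**length for each N]}."""
    return {length: [search_space(n, length) for n in sizes] for length in lengths}


if __name__ == "__main__":
    for pw in ("tri6#Vial", "Password1!", "password"):
        print(pw, policy_violations(pw) or "OK", "N =", charset_size(pw))
    for length, row in brute_force_table().items():
        print(length, row)
```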



 Dictionary attacks
◦ Many people do not choose random passwords
◦ Dictionary attacks on common word passwords are
almost instantaneous
 Names of people, places, pets
 Names of sports teams, music, slang, dates,
phone numbers, profanity, etc.



Mangling Rules:
• Adding numbers (1password, password1, 1492password, etc.)
• Reverse spelling (drowssap)
• Entering the password twice (passwordpassword)
• Trying the password with changes in case (PaSsWoRd)
• Using leet “l337” spellings (pa55word)
• Deleting characters (pswrd)
• Trying key patterns (asdfghjkl;, qwertyuiop, etc.)
• Adding all prefixes and suffixes (passworded, postpassword)
• Trying derivations of username, e-mail, or other account
information contained in the password file
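An added illustration, not from the textbook, of the defensive use of these mangling rules: a password filter that undoes them (case folding, leet, added digits, reversal, doubling, short prefixes or suffixes, account details) and rejects a candidate that reduces to a dictionary word or keyboard pattern. The word list and leet map are small constructed samples.

```python
"""Reject passwords that are only dictionary words dressed up with the
mangling rules above.  Added illustration; the word list and leet map are
small constructed samples."""

# Constructed mini word list; a real filter uses a large dictionary plus the
# names, teams, dates and slang the slides mention.
WORDLIST = {"password", "secret", "dragon", "letmein", "welcome"}
KEY_PATTERNS = {"qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"}
LEET = str.maketrans({"4": "a", "3": "e", "1": "l", "0": "o",
                      "5": "s", "7": "t", "$": "s", "@": "a"})
DRESSING = "0123456789!@#$%^&*()_+-=."  # digits and symbols added at either end


def base_forms(pw):
    """Yield the 'undressed' forms of a candidate: case folded, leet undone,
    leading/trailing digits and symbols stripped, reversed, and halved when
    the word was typed twice.  Deleted-character variants (pswrd) are not
    recovered here."""
    folded = pw.lower()                             # PaSsWoRd -> password
    for form in {folded, folded.translate(LEET)}:   # pa55word -> password
        yield form
        core = form.strip(DRESSING)                 # password1, 1492password
        yield core
        yield core[::-1]                            # drowssap
        half = len(core) // 2
        if core and len(core) % 2 == 0 and core[:half] == core[half:]:
            yield core[:half]                       # passwordpassword


def derived_from_dictionary(pw, account_info=()):
    """True when the password reduces to a dictionary word, a keyboard
    pattern, a piece of the user's own account information, or a dictionary
    word with a short prefix/suffix (passworded, postpassword)."""
    personal = {s.lower() for s in account_info if len(s) >= 3}
    for form in base_forms(pw):
        if form in WORDLIST or form in KEY_PATTERNS or form in personal:
            return True
        if any(w in form and len(form) <= len(w) + 4 for w in WORDLIST):
            return True
    return False
```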



 List of pre-computed password hashes
 Results in a time-memory tradeoff
 More memory used to store rainbow tables
 The time required to crack a password is
greatly reduced



 Almost impossible for users to memorize
 Users tend to write them down
 Administrator accounts must use long,
random passwords
 Copies of administrator account passwords
must be written down and securely stored
 Testing and enforcing password policies



 Other Password Threats
◦ Keystroke Capture Software
 Trojan horse displays a fake login screen,
reports its findings to attackers
◦ Shoulder Surfing
 Attacker watches as the victim types a password
 Even partial information can be useful
 Part of the password: P_ _sw_ _d
 Length of the password (reduces time to do brute-force
cracking)



Figure: Physical USB keylogger.



7.1 Introduction
7.2 Important Server Operating Systems
7.3 Vulnerabilities and Patches
7.4 Managing Users and Groups
7.5 Managing Permissions
7.6 Creating Strong Passwords
7.7 Testing for Vulnerabilities



 Mistakes Will Be Made in Hardening
◦ Do vulnerability testing

 Run Vulnerability Testing Software on Another Computer
◦ Run the software against the hosts to be tested
◦ Interpret the reports about problems found on the server
 This requires extensive security expertise
◦ Fix them



 Get Permission for Vulnerability Testing
◦ Looks like an attack
 Must get prior written agreement
◦ Vulnerability testing plan
 An exact list of testing activities
 Approval in writing to cover the tester
 Supervisor must agree, in writing, to hold the
tester blameless if there is damage
 Tester must not diverge from the plan



 Client PC Security Baselines
◦ For each version of each operating system
◦ Within an operating system, for different types of
computers (i.e., desktop versus notebook, on-site
versus external, high-risk versus normal risk, etc.)

 Automatic Updates for Security Patches
◦ Completely automatic updating is the only reasonable policy



Figure: Windows Update settings. Set updates to install automatically; set a day/time that will minimize any inconvenience.



Central location to check security settings, including:
1. Windows Firewall
2. Windows Update
3. Virus Protection
4. Spyware Protection
5. Internet Security Settings
6. User Account Control
7. Network Access Protection



 Antivirus and Antispyware Protection
◦ Important to know the status of antivirus protection
◦ Users turn on or turn off automatic updating for
virus signatures
◦ Users do not pay the annual subscription, so they
do not get more updates

 Windows Advanced Firewall
◦ Stateful inspection firewall
◦ Accessed through the Windows Action Center



 Enable local password policies
 Minimum password length
 Maximum password age

 Implement basic account policies
 Prevents attackers from endlessly trying to guess a user’s password
 Implement audit policy for system events
 Attempts to disable security protections or changes in permissions



 Threats
◦ Loss or theft
◦ Loss of capital investment
◦ Loss of data that was not backed up
◦ Loss of trade secrets
◦ Loss of private information, perhaps leading to
lawsuits



 Backup
◦ Before taking the notebook out
◦ Frequently, during use outside the firm

 Use a Strong Password
◦ If attackers bypass the operating system password, they get open access to encrypted data
◦ The loss of login passwords is a major concern



 Policies for Sensitive Data
◦ Four main policies:
 Limit what sensitive data can be stored on all
mobile devices
 Require data encryption for all data
 Protect the notebook with a strong login
password
 Audit for the previous two policies
◦ Apply policies to all mobile data on disk drives, USB
RAM drives, MP3 players that store data, and even
mobile phones that can store data



 Other Measures
◦ Teach users loss and theft protection techniques
◦ Use notebook recovery software
 Contacts the recovery company the next time
the computer connects to the Internet
 Recovery company contacts local police to
recover the software



 Importance
◦ Ordinary users lack the knowledge to manage
security on their PCs
◦ They sometimes knowingly violate security policies
◦ Centralized management can often reduce costs
through automation



 Standard Configurations for PCs
◦ May restrict applications, configuration settings,
and even the user interface
◦ Ensure that the software is configured safely
◦ Enforce policies
◦ More generally, reduce maintenance costs by
making it easier to diagnose errors



 Network Access Control (NAC)
◦ Goal is to reduce the danger created by computers
with malware
◦ Control their access to the network



 Network Access Control (NAC)
◦ Stage 1: Initial Health Check
 Checks the “health” of the computer before
allowing it into the network
 Choices:
 Accept it
 Reject it
 Quarantine and pass it to a remediation
server; retest after remediation



 Network Access Control (NAC)
◦ Stage 2: Ongoing Traffic Monitoring
 If traffic after admission indicates malware on
the client, drop or remediate
 Not all NAC systems do this



 Advantages of GPOs
◦ Consistency − Security policy can be applied across
an entire organization uniformly at the same time
◦ Reduced Administrative Costs − Corporate policies
can be created, applied, and managed from a
single management console
◦ Compliance − A company can ensure compliance
with laws and regulations
◦ Control − Provides a granular level of control over
users, computers, applications, and tasks



All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise without the prior written
permission of the publisher.

© 2015 Pearson Education Ltd.
